A lightweight secure tunnelling protocol or LSTP permits communicating
across one or more firewalls by using a middle server or proxy. Three
proxies are used to establish an end-to-end connection that navigates
through the firewalls. In a typical configuration, a server 211 behind a
first firewall 23 and a client 222 behind a second firewall 25 are
interconnected by an untrusted network 12 (e.g., the Internet) between the
firewalls. A first inside-firewall SOCKS-aware server-side end proxy 213
connects to the server 211 inside the first firewall 23. A second
inside-firewall SOCKS-aware client-side end proxy 223 is connected to by
the client 222 inside the second firewall 25. Both server-side and
client-side end proxies 213, 223 can address a third proxy (called a
middle proxy) 26 outside the two firewalls 23, 25.

Field of the Invention

The present invention generally relates to packet switched network
communications and, more particularly, to a method and apparatus which
provides the ability to allow a TCP/IP client situated outside of an
organization's "firewall" to address a server inside the firewall
even when the firewall is configured to not allow outside clients to
address the inside server.



Background of the Invention

The Internet is a collection of networks throughout the world which
facilitates the sharing of resources among participating organizations,
including government agencies, educational institutions and private
corporations. These networks use the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol suite and share a common
address space. Thus, computers on the Internet use compatible
communications standards and share the ability to contact each other and
exchange data. Users of the Internet communicate mainly via electronic
mail (e-mail), via Telnet, a process that allows users to log in to a
remote host, and via implementations of the File Transfer Protocol (FTP),
a protocol that allows them to transfer information on a remote host to
their local site.

Security is a major concern when connecting a network, such as a
local area network (LAN), to the Internet. One of the more important
concerns is intruders attempting to gain access to local hosts. A common
method for preventing these types of intrusions is to install a so-called
"firewall" which is a secure single point of attachment to the Internet.
This single point of attachment takes the form of a firewall host which
allows only certain traffic to pass through, as specified by the firewall
administrator. In a typical firewall host implementation, a user wanting
to transfer a file on a host in the LAN to an external host via the
Internet first transfers the file to the firewall host and then logs into
the firewall and transfers the file to the external host. While this
procedure provides a high level of security for a single user,
maintaining security becomes difficult as the number of users requiring
access to this host increases. For general information on firewalls, see
William R. Cheswick and Steven M. Bellovin, Firewalls and Internet
Security, Addison-Wesley (1994).

A transport layer proxy architecture, called SOCKS, was created in
an attempt to minimize security problems while allowing access by a large
number of users. See, for example, David Koblas and Michelle R. Koblas,
"SOCKS", UNIX Security Symposium, USENIX Association (1992), pp. 77-83,
and Ying-Da Lee, "SOCKS: A protocol for TCP proxy across firewalls",
http://www.socks.nec.com/socks4.protocol, and M. Leech, M. Ganis, Y. Lee,
R. Kuris, D. Koblas, and L. Jones, "SOCKS Protocol Version 5",
ftp://ds.internic.net/rfc/rfc1928.txt. In a transport layer proxy
architecture, one end system behind the firewall, which is called the
client, initiates a session by making a connection to the proxy, which
can be thought of as residing on the firewall. The client and proxy use
the connection to exchange messages negotiating session setup information
such as authentication or proxy request (e.g., the foreign host to
connect to for a firewall proxy or the URL (Uniform Resource Locator) to
fetch for an HTTP (Hypertext Transfer Protocol) proxy). The proxy then
carries out the request, commonly opening a connection to another
end-system, typically outside the firewall, which is called the server,
as directed by the client. The proxy may exchange session setup
information with the server over the connection. After session setup has
been completed on both connections, the proxy begins to copy data back
and forth between the two connections and does not delete from, add to,
or alter the information flowing between the hosts (although it may
silently keep a copy of the information, as in the case of HTTP caching
proxies).

Often, an employee inside an organization wishes to allow an
"outside" client to address his or her "inside" server. In this case,
since the employee trusts the outside client, he or she may wish to
bypass the controls put in place on the firewall so that the trusted
outside client can address the trusted inside server.
It is an object of the present invention to provide a technique
which alleviates the above drawbacks.

According to the present invention we provide a packet switched
network communications system comprising: a first network including at
least one server running a server application; a second network
including at least one client running a client application; a first
firewall guarding computer resources of one of the first and second
networks and including a software application that enables the first
firewall to make connections from inside to outside the first firewall;
a server end proxy and a server application that are mutually
addressable; a client end proxy and a client application that are
mutually addressable; and a middle proxy outside the first firewall and
in an untrusted network between the first and second networks, the server
end proxy and the client end proxy each making connections to the middle
proxy through the first firewall and the middle proxy connecting the
connections from the server end proxy and the client end proxy to
establish a pass through communication tunnel between the client and the
server.

Further, according to the present invention, we provide, in a
packet switched network communications system including a first network
including at least one server running a server application, a second
network including at least one client running a client application, a
first firewall guarding computer resources of one of the first and second
networks and including a software application that enables the first
firewall to make connections from inside to outside the first firewall, a
server end proxy addressable by the server application, a client end
proxy addressable by the client application, and a middle proxy outside
the first firewall and in an untrusted network between the first and
second networks, a method of connecting the server end proxy and the
client end proxy to the middle proxy through the first firewall and the
middle proxy connecting the connections from the server end proxy and the
client end proxy to establish a pass through communication tunnel between
the client and the server, the method comprising the steps of: starting
the middle proxy and waiting for a first connection from an end proxy;
starting the client end proxy and opening a connection to the middle
proxy by sending client setup information to the middle proxy; storing
by the middle proxy the end proxy setup information and then waiting for
a second connection; starting the server end proxy and opening a
connection to the middle proxy by sending end proxy setup information to
the middle proxy; pairing by the middle proxy the connections of the
client end proxy and the server end proxy and transmitting server and
middle proxy setup information to the client end proxy and client and
middle proxy setup information to the server end proxy; and the middle
proxy thereafter acting as a pass through between the client end and
server end proxies.
According to a preferred embodiment of the invention, there is
provided a lightweight secure tunnelling protocol or LSTP which permits
communicating across one or more firewalls by using a middle server or
proxy. More particularly, the basic system uses three proxies, one
middle proxy and two end proxies, to establish an end-to-end connection
that navigates through two firewalls. In this configuration, a server
behind a first firewall and a client behind a second firewall are
interconnected by an untrusted network (e.g., the Internet) between the
firewalls. A first inside-firewall SOCKS-aware server-side end proxy
connects to the server inside the first firewall. The client inside the
second firewall connects to a second inside-firewall SOCKS-aware
client-side end proxy. Both server-side and client-side end proxies can
address a third proxy (called a middle proxy) outside the two firewalls.
The middle proxy is usually started first, as the other two proxies
(server and client end proxies) will initiate the connection to the
middle proxy some time after they are started. Since the middle proxy is
mutually addressable by both inside end proxies, a complete end-to-end
connection between the server and client is established. It is the use
of one or more middle proxies together with an appropriate protocol like
LSTP that establishes the secure communications link or tunnel across
multiple firewalls.

Brief Description of the Drawings

The foregoing and other objects, aspects and advantages will be
better understood from the following detailed description of a preferred
embodiment of the invention with reference to the drawings, in which:

Figure 1 is a block diagram illustrating the typical interaction
between a client application and a server application when the server is
behind a firewall;

Figure 2 is a block diagram illustrating the typical interaction
between a client application and a server application when the client is
behind a firewall;

Figure 3 is a block diagram illustrating a typical network
configuration between two companies or organizations each having networks
behind firewalls;

Figure 4 is a block diagram illustrating the three types of proxies
used according to the invention to construct a secure communications
channel or tunnel between two companies or organizations;

Figure 5 is a data flow diagram illustrating the interaction
between the client, middle and server proxies shown in Figure 4;

Figure 6 is a table summarizing the Lightweight Secure Tunnelling
Protocol (LSTP) according to a preferred embodiment of the invention;

Figure 7 is a flow diagram of the process performed on an end
proxy;

Figure 8 is a flow diagram of the process performed on a middle
proxy;

Figure 9 is a block diagram illustrating an alternative embodiment
of the invention where the server proxy connects to the client proxy over
a single firewall; and

Figure 10 is a block diagram illustrating another alternative
embodiment of the invention in which SOCKS-aware clients allow secure
communications over two firewalls.

Detailed Description of the Preferred Embodiment

Referring now to the drawings, and more particularly to Figure 1,
there are shown two networks 11 and 12 separated by a firewall 13. The
firewall 13 is used to guard the first network 11 against malicious
activity originating from outside the firewall. Network 11 is, in this
illustration, Company A's private network, and network 12 is typically
the Internet. In this example, network 11 is represented by a server 111
running a server application and a client 112 running a client
application. The client application running on client 112 behind the
firewall 13 can address the server application running on server 111, but
a client application running on client 122 outside the firewall 13 cannot
address the server application running on server 111 since this
connection is blocked by the firewall. That is, the purpose of the
firewall 13 is to guard the computer resources of Company A, in this
case, network 11 which may comprise many servers and clients connected
together on a local area network (LAN).



In Figure 2, there is shown a similar arrangement except that there
is a server 121 running a server application in network 12. As in Figure
1, the client application running on client 112 can still address the
server application running on server 111. If enabled to allow
connections from inside to outside, the firewall 13 will also allow the
client application running on client 112 to connect to the server
application running on server 121 outside the firewall 13. The common
software package called SOCKS mentioned above enables firewalls to make
connections from inside to outside as shown in Figure 2.

Figure 3 again shows two networks but this time the second network
14 is Company B's private network which is behind a second firewall 15.
Thus, firewall 15 is designed to protect Company B's computer resources
from malicious activity originating from outside firewall 15. In this
illustration, a client application running on a client 142 behind
firewall 15 may attempt to address the server application running on
server 111 behind firewall 13 via the Internet 12. However, while
firewall 15 may have the SOCKS capability to allow the client application
running on client 142 to connect outside the firewall 15, firewall 13
prevents the connection to the server application running on server 111.

Often, an employee inside an organization wants to allow an
"outside" client application to address an "inside" server; e.g., to
allow the client application running on client 142 to address the server
application running on server 111 in Figure 3. In this case, the
employee trusts the outside client application and wishes to bypass the
controls put in place on their company's firewall that prevent the
trusted outside client from addressing the inside server. This invention
provides a solution for this situation.

The invention will be described, without loss of generality, in
terms of an implementation in the X Windows System. The X Windows System
is a standardized set of display-handling routines, developed at MIT for
UNIX workstations, that allow the creation of hardware-independent
graphical user interfaces (GUIs). In the example described first, two
firewalls are addressed. The initial implementation builds on the SOCKS
package which enables SOCKS-aware programs inside a SOCKS gateway to
connect to servers outside the SOCKS gateway.
Figure 4 shows the three types of proxies used to construct a
secure tunnel and their placement in the network configuration according
to the present invention. Network 21, Company A's private network or
intranet, is protected by firewall 23, and network 22, Company B's
private network or intranet, is protected by firewall 25. Behind
firewall 23 is an X-server 211, part of Company A's private network, and
behind firewall 25 is an X-client 222, part of Company B's private
network. Both firewalls 23 and 25 have SOCKS capability to allow
"inside" clients to connect to "outside" servers. The X-client 222 has
within its addressable domain behind Company B's firewall 25 a client end
proxy 223 that has the ability to listen for X protocol. The client end
proxy 223 appears as a local X-server to the X-client 222, so no
modifications are needed to the X-client 222.

A similar situation exists behind Company A's firewall 23 where a
server end proxy 213 exists within the addressable domain of the X-server
211. The server end proxy 213 is able to connect to the X-server 211
just as a real X-client would. The server end proxy 213 appears as a
local X-client to the X-server 211 so, again, no modifications are needed
to the X-server 211.

A middle proxy 26 is started first, as the end proxies will
initiate connections to the middle proxy. The client end proxy 223 and
the server end proxy 213 make use of existing capability (e.g., SOCKS) to
make requests through a firewall from the inside to the outside. Since
the middle proxy 26 is mutually addressable by both end proxies (using
SOCKS on each firewall), a complete end-to-end connection between the
X-client 222 and the X-server 211 can be established through the middle
proxy 26.
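The end proxies reach the middle proxy through each firewall's SOCKS gateway, using the transport layer proxy handshake described in the background section above. The following is an added example and not code from the patent: a minimal SOCKS5 CONNECT client following RFC 1928 (the version the page cites) with the "no authentication" method, of the kind an inside end proxy would use to open its outbound connection to the middle proxy. The gateway address, destination host name and ports are placeholders; everything after the CONNECT reply is the tunnel's own business.

```python
import socket
import struct

# SOCKS5 constants from RFC 1928, which the page cites.
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


class SocksError(Exception):
    pass


def build_greeting():
    """Version identifier / method selection: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def check_method_selection(reply):
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise SocksError("malformed method selection %r" % reply)
    if reply[1] != METHOD_NO_AUTH:  # 0xFF means no acceptable method
        raise SocksError("gateway selected method 0x%02x, which we did not offer" % reply[1])


def build_connect_request(host, port):
    """CONNECT request. The destination is sent as a domain name (ATYP 0x03) so
    the SOCKS gateway resolves it; an inside end proxy often has no outside DNS."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    name = host.encode("idna")
    if not name or len(name) > 255:
        raise ValueError("host name must be 1..255 bytes for a SOCKS5 domain address")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data):
    """Parse one complete reply; returns (bound address, bound port) or raises."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise SocksError("malformed SOCKS5 reply %r" % data)
    if data[1] != 0x00:
        raise SocksError(REPLY_TEXT.get(data[1], "unknown reply code 0x%02x" % data[1]))
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) == 10:
        addr = socket.inet_ntop(socket.AF_INET, data[4:8])
    elif atyp == ATYP_IPV6 and len(data) == 22:
        addr = socket.inet_ntop(socket.AF_INET6, data[4:20])
    elif atyp == ATYP_DOMAIN and len(data) > 4 and len(data) == 7 + data[4]:
        addr = data[5:5 + data[4]].decode("idna")
    else:
        raise SocksError("unknown address type or wrong reply length")
    return addr, struct.unpack("!H", data[-2:])[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise SocksError("gateway closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(gateway, dest_host, dest_port, timeout=10.0):
    """Open a TCP connection to dest_host:dest_port through the SOCKS5 gateway at
    gateway=(host, port). Returns the connected socket; the tunnel protocol
    (LSTP in the patent) is carried on it from this point on."""
    sock = socket.create_connection(gateway, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        check_method_selection(_recv_exact(sock, 2))
        sock.sendall(build_connect_request(dest_host, dest_port))
        head = _recv_exact(sock, 4)
        if head[3] == ATYP_IPV4:
            body = _recv_exact(sock, 6)
        elif head[3] == ATYP_IPV6:
            body = _recv_exact(sock, 18)
        elif head[3] == ATYP_DOMAIN:
            length = _recv_exact(sock, 1)
            body = length + _recv_exact(sock, length[0] + 2)
        else:
            raise SocksError("unknown address type in reply")
        parse_reply(head + body)  # raises on any REP other than success
        sock.settimeout(None)
        return sock
    except Exception:
        sock.close()
        raise
```

A call such as `socks5_connect(("socks-gw.internal", 1080), "middle.example.net", 4040)` (placeholder names) is all an end proxy needs to get its duplex connection to the middle proxy; the gateway only sees a CONNECT to the middle proxy's address, never the X protocol inside the tunnel.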

The middle proxy 26, which appears as a server to both the client
end proxy 223 and the server end proxy 213, is a key feature of the
invention. As such, both the client end proxy 223 and the server end
proxy 213 can address the middle proxy 26 through their respective
firewalls 25 and 23. For cascaded or multiple middle proxies, the middle
proxies may actually address other middle proxies as opposed to being
addressed by end proxies. The initial connection is made using the
standard TCP/IP connection mechanism. Each established connection, no
matter which program initiated it, is a TCP/IP connection and is
therefore duplex. This invention provides a Lightweight Secure
Tunnelling Protocol (LSTP) which is used on top of TCP/IP to provide for
proper sequencing of tunnel management events. LSTP is "spoken" between
the client end, server end and middle proxies not just during tunnel
construction, but throughout the entire tunnel lifetime.

The triggers for the end proxies 213 and 223 to initiate a
connection to the middle proxy 26 are manually controlled by someone who
has access to the computer where the end proxies 213 and 223 are running.
The end proxies 213 and 223 can establish a connection to the middle
proxy 26 any time after the middle proxy is started. The middle proxy 26
will receive and store the setup information sent to it by the first
connecting end proxy.

When the middle proxy has two matching connections, one from a
client end proxy 223 and one from a server end proxy 213, the middle
proxy 26 will join the two connections and act like a transparent pipe,
effectively establishing a connection between the two end proxies. From
this time forward, the middle proxy 26 is in a pass through mode, and one
end proxy initiates a security handshake with the other end proxy to
secure the tunnel.

The X-client 222 can now initiate a connection to, and pass data
to, the client end proxy 223 just as if it were connected directly to the
X-server 211. The initial data from X-client 222 causes LSTP messages to
flow through the tunnel established by the two end proxies 223 and 213
and the middle proxy 26, which then causes server end proxy 213 to
initiate a connection to X-server 211. The data from X-client 222 is
then passed through the tunnel and presented to the X-server 211.
Neither the X-client 222 nor the X-server 211 has any indication that
they are not talking directly to each other. Data flows in both
directions: from the X-server 211 to the X-client 222 and from the
X-client 222 to the X-server 211. At this point, additional clients could
connect to the client proxy and use the same or request a new tunnel
connection.

To summarize, the server-side end proxy can connect to the inside X
Windows System server and the outside middle proxy, and the X Windows
System client can connect to the client-side end proxy which can then
connect to the outside middle proxy for the X-client. Due to the fact
that an established connection is duplex in nature, and due to transitive
closure, the X Windows System client can address the X Windows System
server as if there were no firewall (i.e., as if they were on the same
addressable network). Those skilled in the art will recognize that the
functionality of the end proxies can be increased to allow for other
protocols and services. For example, one end proxy could provide both
client and server end proxy functionality.

Figure 5 is a data flow diagram illustrating the interaction
between the client, middle and server proxies. The process assumes that
the middle proxy has been started and it is waiting for the first
connection. The client end proxy is started and opens a connection to
the middle proxy and sends client setup information to the middle proxy.
"Setup information" is a general term describing two pieces of LSTP
information, COMMON_UNIQUE_INFO and TOPOLOGY_EXCHANGE, described below.
The middle proxy stores the end proxy setup information and waits for
the second connection. The server end proxy is started and opens a
connection to the middle proxy, and the server end proxy sends server
setup information to the middle proxy. The middle proxy pairs the two
connections and transmits server and middle proxy setup information to
the client end proxy and client and middle proxy setup information to
the server end proxy.

At this point in the process, the middle proxy ceases any active
role in the connection and acts as a pass through between the client end
and server end proxies. Once the connection has been established, either
one of the end proxies can initiate a security handshake. An algorithm
in each end proxy uses the setup information to decide which end proxy
initiates the security handshake. In Figure 5, the client end proxy is
shown as transmitting a security handshake that is passed to the server
end proxy. The server end proxy responds with a security handshake that
is passed to the client end proxy. When this security protocol has been
accomplished, additional setup information is re-transmitted over the
secured connection to complete the tunnel construction; until the
handshake completes, that information has travelled in the clear through
the middle proxy, so the re-transmission gives each end proxy the peer's
setup information over an authenticated channel. Those skilled in the
art will recognize that an alternative sequence of events could be used
to establish end to end security over the tunnel. With the connection
between the client application and the server application completed,
data can securely pass in both directions between the two using a
protocol such as the Lightweight Secure Tunnelling Protocol (LSTP)
described below. As a result, the client and server applications have
effectively had their addressability extended.

The server and client proxies 213 and 223 handle (1)
authentication, encryption, and integrity, (2) firewall pass through, and
(3) data compression. The middle proxy 26 acts as a two-way pipe. The
server end proxy 213 appears as an X client to the X server 211, while
the client end proxy 223 appears as an X server to the X client 222. The
server and client end proxies usually reside on the same machine as the X
server and X client, respectively.

With this general overview, there are several implementation
decisions which were made to implement the secure tunnel between the two
networks 21 and 22. First, in the example illustrated, X Windows System
clients and servers were used on each tunnel end and, as such, the end
proxies are customized to listen for and respond to X protocols. Second,
the Secure Sockets Layer (SSL) was chosen as the security protocol to
secure the tunnel. SSL provides for data integrity, data privacy, and
authenticity of the originating parties. Third, SOCKS was chosen as a
mechanism to allow proxies to establish connections from inside the
firewall to outside the firewall. Fourth, the Lightweight Secure
Tunnelling Protocol (LSTP) was developed along with the tunnel to provide
a means for formalizing tunnel construction, management, data flow
control, and tunnel destruction.

The Lightweight Secure Tunnelling Protocol (LSTP) according to the 
invention is the protocol used between the client proxy 223 and the 
middle proxy 26 and between the server proxy 213 and the middle proxy 26 
shown in Figure 4. In the preferred embodiment, LSTP includes the 
following meanings of and sequencing rules for requests and responses 
used for transferring data between and synchronizing the states of the 
proxies:
COMMON_UNIQUE_INFO - This information allows two end proxies that
     connect at different times to the same middle proxy to be paired.
     The middle proxy knows that these two end proxies should be paired
     together because they both provided the same common information.
     The unique information could be used to identify each end proxy
     user.
TOPOLOGY_EXCHANGE - This is information that describes the topology of
     the tunnel. Middle proxies append their topology (e.g., name,
     address, etc.) information to any TOPOLOGY_EXCHANGE they receive
     and forward the TOPOLOGY_EXCHANGE downstream to the end proxy. This
     provides each end proxy with a map of which proxies are
     participating in the tunnel.
PROPERTY_EXCHANGE - This mechanism allows end proxies to exchange
     information about themselves.
CONNECTION_REQUEST - This request allows one end proxy to notify the
     other end proxy that a client application is requesting tunnel
     resources to be allocated for use by the client application.
     Requested resources may include "multiplexed" channels on an
     existing tunnel connection or new tunnel connections in addition to
     established tunnel connections.
CONNECTION_ACK and CONNECTION_NACK - These responses allow the proxy
     receiving a CONNECTION_REQUEST to either accept or deny the request
     for tunnel resources.
SERVICE_BEGIN_REQUEST - This request allows an end proxy to notify the
     other end proxy that an application is beginning to send data and
     therefore use the tunnel resources that have been requested and/or
     allocated.
SERVICE_BEGIN_ACK and SERVICE_BEGIN_NACK - These responses allow an end
     proxy to accept or deny an application's request to begin using
     resources that have been allocated.
SERVICE_DATA - This message is used to send application data between two
     end proxies. Each client/server application pair has a unique
     identifier included in its SERVICE_DATA message to allow multiple
     applications to multiplex their data over one TCP/IP connection.
SERVICE_STOP - This message allows an end proxy to tell the other end
     proxy to stop sending application data.
[name illegible] - This message allows an end proxy to tell the other
     end proxy to resume sending application data.
SERVICE_FREE_REQUEST - This request allows an end proxy to notify the
     other end proxy that an application is done and tunnel resources
     can be freed.
[name illegible] - This message allows an end proxy to shut down the
     tunnel gracefully by notifying the other end proxy.
[name illegible] - This message allows an end proxy to exchange error
     information.

The LSTP is summarized in Figure 6. Note that the first three
messages are used to manage tunnel setup and administration. The next
six messages are used to manage tunnel connections requested by an
application, and the following message, SERVICE_DATA, is used to
transport application data between end proxies. The next two messages
are used to manage application data, that is, flow control. The next
three messages are used to manage clean up of tunnel resources no longer
needed by an application. Finally, the last message is used to manage
error conditions.

This Lightweight Secure Tunnelling Protocol (LSTP) was developed to
facilitate tunnel resource management and life cycle. Those skilled in
the art will recognize that another protocol encompassing similar
features and functionality could be created to accomplish the same goal.
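The message set above defines a life cycle for each multiplexed channel: request and acknowledge, begin, data, stop and resume, free. The following added example, not code from the patent, is a frame parser plus a per-channel state machine that enforces one reading of those sequencing rules and rejects out-of-order messages, for instance SERVICE_DATA on a channel that was never allocated, or data arriving after SERVICE_STOP. The 5-byte frame header, the numeric message codes, the channel and payload limits, and the name SERVICE_RESUME for the resume message (whose name is illegible in the source) are all assumptions of this example; the patent names the messages but not their encoding.

```python
import struct

# Message codes and the 5-byte frame header (type, channel id, payload length)
# are this example's assumptions. SERVICE_RESUME is the name used here for
# the resume message, whose name is illegible in the source.
MESSAGE_CODES = {
    "CONNECTION_REQUEST": 1, "CONNECTION_ACK": 2, "CONNECTION_NACK": 3,
    "SERVICE_BEGIN_REQUEST": 4, "SERVICE_BEGIN_ACK": 5, "SERVICE_BEGIN_NACK": 6,
    "SERVICE_DATA": 7, "SERVICE_STOP": 8, "SERVICE_RESUME": 9,
    "SERVICE_FREE_REQUEST": 10,
}
CODE_NAMES = {code: name for name, code in MESSAGE_CODES.items()}
HEADER = struct.Struct("!BHH")
MAX_PAYLOAD = 4096   # bound what one frame can make the receiver buffer
MAX_CHANNELS = 64    # bound what one peer can make the receiver allocate


class LstpError(Exception):
    pass


def pack_frame(msg, channel, payload=b""):
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds MAX_PAYLOAD")
    return HEADER.pack(MESSAGE_CODES[msg], channel, len(payload)) + payload


def unpack_frames(buf):
    """Split a byte stream into (message, channel, payload) frames. Returns the
    complete frames and the unread remainder, so a frame split across two TCP
    reads is parsed on the next call instead of being misread."""
    frames = []
    while len(buf) >= HEADER.size:
        code, channel, length = HEADER.unpack_from(buf)
        if code not in CODE_NAMES or length > MAX_PAYLOAD:
            raise LstpError("bad frame header (code %d, length %d)" % (code, length))
        end = HEADER.size + length
        if len(buf) < end:
            break
        frames.append((CODE_NAMES[code], channel, buf[HEADER.size:end]))
        buf = buf[end:]
    return frames, buf


# Per-channel life cycle. NEW is a channel id the receiver has not seen; a None
# target means the channel is released and its id may be reused.
NEW, REQUESTED, ALLOCATED, STARTING, ACTIVE, PAUSED = (
    "new", "requested", "allocated", "starting", "active", "paused")
TRANSITIONS = {
    (NEW, "CONNECTION_REQUEST"): REQUESTED,
    (REQUESTED, "CONNECTION_ACK"): ALLOCATED,
    (REQUESTED, "CONNECTION_NACK"): None,
    (ALLOCATED, "SERVICE_BEGIN_REQUEST"): STARTING,
    (STARTING, "SERVICE_BEGIN_ACK"): ACTIVE,
    (STARTING, "SERVICE_BEGIN_NACK"): ALLOCATED,
    (ACTIVE, "SERVICE_DATA"): ACTIVE,
    (ACTIVE, "SERVICE_STOP"): PAUSED,
    (PAUSED, "SERVICE_RESUME"): ACTIVE,
    (ALLOCATED, "SERVICE_FREE_REQUEST"): None,
    (ACTIVE, "SERVICE_FREE_REQUEST"): None,
    (PAUSED, "SERVICE_FREE_REQUEST"): None,
}


class ChannelTracker:
    """Tracks every multiplexed channel on one tunnel connection and refuses
    any message that the channel's current state does not allow."""

    def __init__(self):
        self.channels = {}

    def on_message(self, msg, channel):
        state = self.channels.get(channel, NEW)
        if (state, msg) not in TRANSITIONS:
            raise LstpError("%s not allowed on channel %d in state %s" % (msg, channel, state))
        if state == NEW and len(self.channels) >= MAX_CHANNELS:
            raise LstpError("channel limit reached")
        new_state = TRANSITIONS[(state, msg)]
        if new_state is None:
            del self.channels[channel]
        else:
            self.channels[channel] = new_state
        return new_state


def process_stream(data):
    """Parse a received byte stream and run each frame through the tracker.
    Returns ([(message, channel, new state, None on release, or 'rejected: ...')],
    leftover bytes)."""
    frames, leftover = unpack_frames(data)
    tracker = ChannelTracker()
    results = []
    for msg, channel, _payload in frames:
        try:
            results.append((msg, channel, tracker.on_message(msg, channel)))
        except LstpError as err:
            results.append((msg, channel, "rejected: %s" % err))
    return results, leftover
```

The two bounds matter as much as the transition table: without MAX_PAYLOAD and MAX_CHANNELS a peer that has passed the security handshake can still exhaust the other end proxy's memory with one oversized frame or a stream of CONNECTION_REQUESTs, and neither SSL nor the sequencing rules prevent that on their own.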

The end proxy flow diagram is shown in Figure 7. The process
begins by connecting to a middle proxy in function block 701. The end
proxy then sends its COMMON_UNIQUE_INFO and TOPOLOGY_EXCHANGE setup
information to the middle proxy in function block 702. Next, the end
proxy receives the other proxies' COMMON_UNIQUE_INFO and TOPOLOGY_EXCHANGE
setup information from the middle proxy in function block 703. A master
end proxy is chosen based on the TOPOLOGY_EXCHANGE setup information in
function block 704. If this proxy is the master end proxy as determined
in decision block 705, then a security handshake is initiated in function
block 706; otherwise, the end proxy waits for the security handshake in
function block 707. Once the security handshake is complete in function
block 708, the end proxy resends the COMMON_UNIQUE_INFO and
TOPOLOGY_EXCHANGE setup information over the secured connection in
function block 709. Then, in function block 710, the proxy again
receives the COMMON_UNIQUE_INFO and TOPOLOGY_EXCHANGE setup information
over the secured connection. If the end proxy is a client end proxy as
determined in decision block 711, the proxy waits for the local client
application to connect in function block 712. When the local client
application is connected in function block 713, the connection is set up
and managed using the Lightweight Secure Tunnelling Protocol (LSTP) in
function block 714. If, on the other hand, the proxy is a server end
proxy as determined in decision block 711, the proxy waits for the other
end proxy to request a connection in function block 715. When the
CONNECTION_REQUEST message is received from the other end proxy in
function block 716, the connection is set up and managed using the
Lightweight Secure Tunnelling Protocol (LSTP) in function block 714.
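Two points in the Figure 7 flow deserve a concrete treatment: block 704, where both end proxies must arrive at the same master without a further round trip, and blocks 709 and 710, where the setup information is exchanged a second time over the secured connection. The following is an added example, not code from the patent: a model of the two setup messages, a deterministic master election, a check of the re-sent setup information against the copy relayed in the clear, and a driver that walks the numbered blocks of Figure 7. The election rule (lower end-proxy name initiates), the equality check, the field layout of the setup messages and the `handshake` callback standing in for the SSL handshake are all this example's assumptions; the patent says only that "an algorithm in each end proxy uses the setup information".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SetupInfo:
    """The two setup messages of Figure 7, as this example models them."""
    common: str      # COMMON_UNIQUE_INFO: value both end proxies share
    unique: str      # COMMON_UNIQUE_INFO: value identifying this end proxy
    topology: tuple  # TOPOLOGY_EXCHANGE: proxy names, originating end proxy first


def choose_master(local, remote):
    """Block 704. Both end proxies must pick the same initiator without another
    round trip, so the rule uses only data both hold: the end proxy whose own
    name (first TOPOLOGY_EXCHANGE entry) sorts lower initiates the handshake.
    The patent leaves the rule open; this one is the example's choice."""
    mine, theirs = local.topology[0], remote.topology[0]
    if mine == theirs:
        raise ValueError("end proxies must carry distinct names")
    return min(mine, theirs)


def verify_secured_setup(clear, secured):
    """Blocks 709/710. The copy relayed by the middle proxy before the handshake
    was not authenticated; the copy re-sent over the secured connection is.
    Reject the tunnel if the identity fields disagree. Middle proxies append
    themselves to the topology they relay, so only the originating end proxy's
    entry is compared."""
    if (clear.common, clear.unique, clear.topology[0]) != (
            secured.common, secured.unique, secured.topology[0]):
        raise RuntimeError("peer setup information changed between clear and secured exchange")


def end_proxy_flow(role, local, remote_clear, remote_secured, handshake):
    """Walk the end-proxy flow of Figure 7 and return the function blocks
    visited. `handshake(initiator)` stands in for the SSL handshake and returns
    True on success; `remote_clear` is what the middle proxy relayed in block
    703, `remote_secured` what the peer re-sent in block 710."""
    path = [701, 702, 703, 704, 705]
    initiator = choose_master(local, remote_clear) == local.topology[0]
    path.append(706 if initiator else 707)
    if not handshake(initiator):
        raise RuntimeError("security handshake failed")
    path += [708, 709, 710]
    verify_secured_setup(remote_clear, remote_secured)
    path.append(711)
    if role == "client":
        path += [712, 713, 714]   # wait for the local client application
    elif role == "server":
        path += [715, 716, 714]   # wait for the peer's CONNECTION_REQUEST
    else:
        raise ValueError("role must be 'client' or 'server'")
    return path
```

The election has to be a pure function of data both sides already hold, or the two end proxies can both wait in block 707 forever; the comparison after block 710 is what turns the middle proxy's unauthenticated pairing into something the end proxies have actually verified with each other.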

The middle proxy flow diagram is shown in Figure 8. The process
begins by checking in decision block 801 whether there is a new
connection from a neighbouring proxy. If so, the new connection is
accepted in function block 802, and then a determination is made in
decision block 803 as to whether a matching COMMON_UNIQUE_INFO message is
stored from a previous connection. If not, the COMMON_UNIQUE_INFO and

base to another platform. In general, an end proxy, middle proxy, and
another end proxy could make up a tunnel where each proxy is running on a
different hardware/software platform. The end and middle proxies both
place relatively low demands on the resources of the computer they are
running on.
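The rendezvous of Figure 5 and the middle proxy flow of Figure 8 above, as an added example that is not code from the patent: a middle proxy that reads one setup line from each arriving end proxy, stores the first, pairs the second connection that presents the same common information, hands each side the other's setup information with its own name appended (the TOPOLOGY_EXCHANGE append) and then becomes a pass-through pipe. The one-line setup format, the proxy and user names and the loopback ports are assumptions; the end proxies are plain sockets here, and the security handshake they would run next is left out.

```python
import socket
import threading

# Wire format for the pre-handshake setup line is an assumption of this example
# (the patent does not give LSTP's encoding): "<common info> <unique info>\n".
MAX_SETUP_LINE = 512


def parse_setup(line):
    """Split a setup line into (common_info, unique_info); reject malformed input."""
    parts = line.rstrip(b"\r\n").split(b" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed setup line: %r" % line)
    return parts[0], parts[1]


def read_line(sock):
    """Read exactly one newline-terminated line. Reading a byte at a time means
    the middle proxy never swallows tunnel bytes that follow the setup line."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed before sending a full line")
        buf += chunk
        if len(buf) > MAX_SETUP_LINE:
            raise ValueError("setup line too long")
    return buf


def pump(src, dst):
    """One direction of the pass-through pipe: copy until src reaches EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other end proxy
        except OSError:
            pass


class MiddleProxy:
    """Rendezvous point: stores the first end proxy's setup info, pairs the
    second end proxy presenting the same common info, then copies bytes both
    ways without looking at them."""

    def __init__(self, name=b"middle-1"):
        self.name = name
        self.pending = {}  # common_info -> (socket, unique_info) awaiting a partner
        self.lock = threading.Lock()
        self.running = True
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))  # ephemeral loopback port for the demo
        self.listener.listen(8)
        self.listener.settimeout(0.2)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while self.running:
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        try:
            common, unique = parse_setup(read_line(conn))
        except (ValueError, ConnectionError):
            conn.close()
            return
        with self.lock:
            partner = self.pending.pop(common, None)
            if partner is None:
                self.pending[common] = (conn, unique)  # first arrival: store and wait
                return
        peer, peer_unique = partner
        try:  # pairing: each side learns the other's unique info plus this proxy's name
            peer.sendall(b"PEER " + unique + b" VIA " + self.name + b"\n")
            conn.sendall(b"PEER " + peer_unique + b" VIA " + self.name + b"\n")
        except OSError:
            peer.close()
            conn.close()
            return
        threading.Thread(target=pump, args=(conn, peer), daemon=True).start()
        threading.Thread(target=pump, args=(peer, conn), daemon=True).start()

    def close(self):
        self.running = False
        self.listener.close()


def demo(common=b"tunnel-42"):
    """Two end proxies (plain sockets here) meet at the middle proxy and exchange
    one line each through it. Returns what each side learned and received."""
    mp = MiddleProxy()
    try:
        client_end = socket.create_connection(("127.0.0.1", mp.port))
        server_end = socket.create_connection(("127.0.0.1", mp.port))
        client_end.sendall(common + b" alice@companyB\n")
        server_end.sendall(common + b" xserver@companyA\n")
        pair_msg_client = read_line(client_end)  # blocks until the middle proxy pairs
        pair_msg_server = read_line(server_end)
        client_end.sendall(b"hello server\n")    # from here on the middle proxy is a pipe
        server_end.sendall(b"hello client\n")
        got_at_server = read_line(server_end)
        got_at_client = read_line(client_end)
        client_end.close()
        server_end.close()
        return pair_msg_client, pair_msg_server, got_at_client, got_at_server
    finally:
        mp.close()


if __name__ == "__main__":
    print(demo())
```

Note what the middle proxy does not do: it never authenticates anyone. Any party that can reach it and presents the same common information gets paired, which is why the end proxies run the security handshake with each other afterwards rather than trusting the pairing, and why the middle proxy reads only the setup line, byte by byte, so that nothing belonging to the end proxies' own protocol is consumed before it goes into pass-through mode.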
1. A packet switched network communications system comprising:

a first network including at least one server running a server
application;

a second network including at least one client running a client
application;

a first firewall guarding computer resources of one of the first
and second networks and including a software application that enables the
first firewall to make connections from inside to outside the first
firewall;

a server end proxy and a server application that are mutually
addressable;

a client end proxy and a client application that are mutually
addressable; and

a middle proxy outside the first firewall and in an untrusted
network between the first and second networks, the server end proxy and
the client end proxy each making connections to the middle proxy through
the first firewall and the middle proxy connecting the connections from
the server end proxy and the client end proxy to establish a pass through
communication tunnel between the client and the server.

2. The packet switched network communications system recited in
claim 1 further comprising a second firewall guarding computer resources
of the other one of the second and first networks and including a
software application that enables the second firewall to make connections
from inside to outside the second firewall.

• 3. The packet switched network communications system recited in 

30 claim 2 wherein the server end proxy, the client end proxy and the middle 

proxy constitute a tunnel having SOCKS server capability, the entire 
tunnel performing the job of a SOCKS server. 

4. In a packet switched network communications system including a first network including at least one server running a server application, a second network including at least one client running a client application, a first firewall guarding computer resources of one of the first and second networks and including a software application that enables the first firewall to make connections from inside to outside the first firewall, a server end proxy addressable by the server application, a client end proxy addressable by the client application, and a middle proxy outside the first firewall and in an untrusted network between the first and second networks, a method of connecting the server end proxy and the client end proxy to the middle proxy through the first firewall and the middle proxy connecting the connections from the server end proxy and the client end proxy to establish a pass through communication tunnel between the client and the server, the method comprising the steps of:

starting the middle proxy and waiting for a first connection from an end proxy;

starting the client end proxy and opening a connection to the middle proxy by sending client setup information to the middle proxy;

storing by the middle proxy the end proxy setup information and then waiting for a second connection;

starting the server end proxy and opening a connection to the middle proxy by sending end proxy setup information to the middle proxy;

pairing by the middle proxy the connections of the client end proxy and the server end proxy and transmitting server and middle proxy setup information to the client end proxy and client and middle proxy setup information to the server end proxy; and

the middle proxy thereafter acting as a pass through between the client end and server end proxies.
5. The method recited in claim 4 further comprising the steps of:

after pairing by the middle proxy of the connections between the client end and server end proxies, exchanging by the client end and server end proxies security handshakes; and

again exchanging setup information between the client end and server end proxies via the middle proxy over the secured line.

6. The method recited in claim 5 further comprising the step of releasing tunnel resources between the client end and server end proxies when data exchange between the client and server over the tunnel has been completed.
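Worked example of the middle-proxy steps in claims 4 and 6 (wait for a first end proxy, store its setup information, wait for the second, pair the two, hand each end the other's setup information plus the middle proxy's own, then pass data through and finally release the tunnel). This is an added illustration, not code from the patent or its applicant: connections are in-memory objects rather than TCP sockets so it runs offline, and the tunnel identifier used to match the two ends, the role labels "client"/"server", and the policy of refusing a second end of the same kind are assumptions the claims do not spell out.

```python
"""Middle-proxy pairing and pass-through, simulated in memory (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EndProxyConn:
    """One connection from an end proxy to the middle proxy (simulated, not a socket)."""
    role: str          # assumed label: "client" or "server"
    setup: dict        # the end proxy's setup information
    tunnel_id: str     # assumed key that tells the middle proxy which two ends belong together
    inbox: list = field(default_factory=list)   # everything the middle proxy sends to this end
    closed: bool = False


class MiddleProxy:
    """Accepts end-proxy connections, pairs them, then relays bytes without inspecting them."""

    MIDDLE_SETUP = {"middle_proxy": "constructed-setup-info"}   # constructed sample value

    def __init__(self):
        self.pending = {}   # tunnel_id -> first end proxy, waiting for its peer
        self.tunnels = {}   # tunnel_id -> (client, server) once paired
        self.peer = {}      # id(conn) -> the connection it is paired with

    def accept(self, conn: EndProxyConn) -> Optional[tuple]:
        """Store-and-wait on the first connection, pair on the second.

        Returns (client, server) when the tunnel is formed, or None while the
        middle proxy is still waiting for the other end.
        """
        if conn.role not in ("client", "server"):
            raise ValueError(f"unknown end proxy role {conn.role!r}")
        first = self.pending.get(conn.tunnel_id)
        if first is None:
            self.pending[conn.tunnel_id] = conn     # keep setup info, wait for 2nd connection
            return None
        if first.role == conn.role:
            conn.closed = True                      # two ends of one kind cannot form a tunnel
            return None                             # (assumed policy: refuse, keep waiting)
        del self.pending[conn.tunnel_id]
        client, server = (first, conn) if first.role == "client" else (conn, first)
        # Each end receives the other end's setup information plus the middle proxy's own.
        client.inbox.append({"server": server.setup, "middle": self.MIDDLE_SETUP})
        server.inbox.append({"client": client.setup, "middle": self.MIDDLE_SETUP})
        self.tunnels[conn.tunnel_id] = (client, server)
        self.peer[id(client)] = server
        self.peer[id(server)] = client
        return client, server

    def forward(self, src: EndProxyConn, data: bytes) -> bool:
        """Pass-through step: deliver bytes to the paired end; False if no live tunnel."""
        dst = self.peer.get(id(src))
        if dst is None or dst.closed or src.closed:
            return False
        dst.inbox.append(data)
        return True

    def release(self, tunnel_id: str) -> bool:
        """Claim 6 step: free the tunnel's resources once the data exchange is complete."""
        pair = self.tunnels.pop(tunnel_id, None)
        if pair is None:
            return False
        for conn in pair:
            conn.closed = True
            self.peer.pop(id(conn), None)
        return True


def demo() -> dict:
    """Run the claim 4 sequence end to end with constructed setup information."""
    mp = MiddleProxy()
    client = EndProxyConn("client", {"host": "client-end.example"}, "t1")   # constructed
    server = EndProxyConn("server", {"host": "server-end.example"}, "t1")   # constructed
    waiting = mp.accept(client) is None          # first end: stored, middle proxy waits
    pair = mp.accept(server)                     # second end: paired
    relayed = mp.forward(client, b"hello") and mp.forward(server, b"world")
    released = mp.release("t1")
    dropped = mp.forward(client, b"late")        # nothing is relayed after release
    return {
        "waited_for_second_end": waiting,
        "paired": pair == (client, server),
        "client_got_server_setup": client.inbox[0]["server"] == server.setup,
        "server_got_client_setup": server.inbox[0]["client"] == client.setup,
        "relayed": relayed and server.inbox[1] == b"hello" and client.inbox[1] == b"world",
        "released": released,
        "dropped_after_release": dropped is False,
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the simulation is that the middle proxy never needs to open a connection toward either firewall: both end proxies connect outward to it, it only matches two already-accepted connections, and once paired it has no reason to interpret the bytes it relays.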
Text of the First Office Action

After examination, comments are given as follows:

1. Said "communication control session" referred to by claim 9 should be said "control communication session" in claim 1, but claim 9 uses an inconsistent technical term, so claim 9 is not in conformity with the provision of Rule 21, para. three, of the Implementing Regulations of the Patent Law.


2. In claim 12, said "third server" in the expression "a third session between said third server and said one of said at least host" is not mentioned in the application, which should be a "second server", so claim 12 is not in conformity with the provision of Rule 20, para. one, of the Implementing Regulations of the Patent Law.

3. Claims 2-10 and 12-20 refer to claims 1 and 11 respectively; the titles of the subject matters in claims 2-10 and 12-20 are inconsistent with those of the claims as referred to, so claims 2-10 and 12-20 are contrary to the provision of Rule 23, para. one, of the Implementing Regulations of the Patent Law.

Even if the applicant would overcome the aforesaid defects, claims 1-20 are still contrary to the provisions of Article 22 of the Patent Law. The following comments are made based on such hypothesis:

4. Claim 1 seeks protection for a system for communicating data using a data communication session between a user terminal and a host. Reference document 1 (GB2323757A, published on September 30, 1998) discloses a tunnel-type network secure communication system used for communicating data using a data communication session between a user terminal and a host, said user terminal being coupled to a first network and said host being coupled to a second network, said system comprising: a client end proxy (corresponding to a first server of claim 1) coupled to a first network, the client end proxy being equivalent to the local server of the user terminal; a server end proxy (corresponding to a second server of claim 1) coupled to a second network; and a middle proxy (corresponding to the internal firewall 20 of the present application); the middle proxy receives from the server end proxy the control communication session setup information, and receives from the user terminal the data communication session setup information; the data communication session setup information is issued from the user terminal and is used for requesting a data communication session between the user terminal and the server; after the middle proxy receives the data communication setup information, only when the control communication session setup information issued from the server end proxy is received is a tunnel formed between a server end proxy and a client end proxy and the data communication session set up (See page 7, line 1 to page 10, line 23 of the description, and Figs. 4 and 5). Thus, it can be seen that reference document 1 discloses all the technical features of claim 1, and the technical solution as disclosed by the reference document and the claimed technical solution of claim 1 pertain to the same technical field and can produce the same technical effect. Therefore, claim 1 does not possess novelty over reference document 1 and hence is not in conformity with the provision of Article 22, para. two, of the Patent Law.

5. Claims 2, 5 and 6 all refer to claim 1; the additional technical features in the characterizing portions thereof have already been disclosed by reference document 1. Reference document 1 discloses the following features: setting a firewall between the client end proxy and server end proxy (See page 7, lines 1-9 of the description and Fig. 4); the data communication session setup information is transmitted from the client end proxy to the server end proxy through establishing the communication control session (See page 8, lines 23-26 of the description); the client end proxy supports multiple data communication sessions between one or more user terminals and one or more hosts (See page 8, lines 31-33 of the description). Thus, it can be seen that claims 2, 5 and 6 are not in conformity with the provision as to novelty of Article 22, para. two, of the Patent Law over reference document 1.

6. The additional technical features in the characterizing portions of claims 3 and 7 are commonly known in the art. For those skilled in the art, the setting of a firewall and the content that the server end proxy supports multiple data communication sessions between one or more user terminals and one or more hosts are quite obvious. Therefore, claims 3 and 7 do not possess prominent substantive features and notable progress over reference document 1 and hence are contrary to the provision as to inventiveness of Article 22, para. three, of the Patent Law.

7. Claim 4 referring to claim 2 further defines that said first firewall has the function of denying all communication control session establishment requests other than those communication control session establishment requests which are sent to said first server by the second server; in reference document 1, it is a middle proxy that realizes such function (See page 9, lines 6-18 of the description and Fig. 5). Although such function is not accomplished in the firewall of reference document 1, the reference document gives an enlightenment of assigning this function to the firewall. Therefore, claim 4 does not possess prominent substantive features and notable progress over reference document 1 and hence is contrary to the provision as to inventiveness of Article 22, para. three, of the Patent Law.
8. The additional technical features in the characterizing portions of claims 8-10 have already been disclosed by reference document 2 (WO9818248A1, published on April 30, 1998). Reference document 2 discloses a tunnel apparatus of a data communication network including a firewall; the inside interface server within the firewall creates a "control connection" to the outside interface server; this control connection can only be formed under the control of the program running within the firewall, and it sends a trusted socket table to the outside interface server, the trusted socket table comprising a port to host address map (See page 4, line 36 to page 7, line 39 of the description and Figs. 1-5). Thus, it can be seen that claims 8-10 do not possess prominent substantive features and notable progress over reference document 1 and hence are contrary to the provision as to inventiveness of Article 22, para. three, of the Patent Law.

9. Claim 11 seeks protection for a method for communicating data using a data communication session between multiple user terminals and at least one host via a first and second server; the steps of this method correspond to the functions of the composing structures of the system in claim 1 one by one. Therefore, based on corresponding reasons and evidences as mentioned above in respect of claim 1, claim 11 is not in conformity with the provision as to novelty of Article 22, para. two, of the Patent Law over reference document 1.

10. Part of the additional technical features of claim 12 have already been disclosed by reference document 1; reference document 1 discloses that the data communication session is established via a first session, a second session and a third session (See page 8, lines 5-34 of the description), whereas the content that the data is transferred between the first and second sessions via a first computing thread and the data is transferred between the second and third sessions via the second thread is commonly known in the art and is obvious to those skilled in the art. Therefore, claim 12 does not possess prominent substantive features and notable progress over reference document 1 and hence is contrary to the provision as to inventiveness of Article 22, para. three, of the Patent Law.

11. The additional technical features in the characterizing portions of claims 13, 14 and 19 have already been disclosed by reference document 1; reference document 1 discloses the following features: the data transfer in each of the sessions, the transfer between sessions being bidirectional; sending the data communication connection setup information from the client end proxy to the server end proxy, the first and second sessions being established according to said information; and the client end proxy supporting multiple data communication sessions between one or more user terminals and one or more hosts (See page 8, lines 5-34 of the description). Thus, it can be seen that claim 13 does not comply with the provision as to inventiveness of Article 22, para. three, of the Patent Law over reference document 1, and claims 14 and 19 are not in conformity with the provision as to novelty of Article 22, para. two, of the Patent Law over reference document 1.

12. The additional technical feature in the characterizing portion of claim 15 corresponds to that of claim 4. Therefore, based on corresponding reasons and evidences as mentioned above in respect of claim 4, claim 15 is not in conformity with the provision as to inventiveness of Article 22, para. three, of the Patent Law over reference document 1.

13. The additional technical features in the characterizing portions of claims 16-18 have already been disclosed by reference document 2; reference document 2 discloses the following features: when the outside user sends to the outside interface server a request for connecting to the inside server, whether said request is directed to a trusted socket entry that is currently valid is decided on the outside interface server; if not, the connecting request is refused; if said request is directed to a trusted socket entry that is currently valid, the connecting request is allowed (See page 2, line 3 to page 3, line 32 of the description). Thus, claims 16-18 do not possess prominent substantive features and notable progress over reference documents 1 and 2 and hence are not in conformity with the provision as to inventiveness of Article 22, para. three, of the Patent Law.

14. The additional technical feature in the characterizing portion of claim 20 belongs to the common knowledge in the art; for those skilled in the art, it is obvious that the server end proxy supports multiple data communication sessions between one or more user terminals and one or more hosts. Therefore, claim 20 does not possess prominent substantive features and notable progress over reference document 1 and hence is not in conformity with the provision as to inventiveness of Article 22, para. three, of the Patent Law.

For reasons mentioned above, the independent claims and dependent claims of the present application do not possess novelty or inventiveness. In the meanwhile, the description fails to disclose any other substantive contents which are patentable. Therefore, even if the applicant recombines the claims and/or makes further limitation in the light of the disclosure contained in the description, the application does not have the prospect of being granted. If the applicant cannot produce adequate reasons why the application does possess inventiveness within the time limit for response as specified in the Office Action, the application shall be rejected.
SECURED SESSION SEQUENCING PROXY SYSTEM AND METHOD THEREFOR

First Office Action

(PCT application entering into the national phase)

1. ☒ Under the provision of Art. 35, para. 1 of the Patent Law, the examiner has made an examination as to substance of the captioned patent application for invention upon the request for substantive examination filed by the applicant.

□ Under the provision of Art. 35, para. 2 of the Patent Law, the Chinese Patent Office has decided to conduct an examination of the captioned patent application for invention on its own initiative.



2. ☒ The applicant requests that

the filing date Mnv 1ft 1999 at the US Patent Office be taken as the priority date of the present application,

the filing date ___ at the ___ Patent Office be taken as the priority date of the present application,

the filing date ___ at the ___ Patent Office be taken as the priority date of the present application.



3. □ The following amended documents submitted by the applicant cannot be accepted for failure to conform with Art. 33 of the Patent Law:

□ the Chinese version of the annex to the international preliminary examination report.

□ the Chinese version of the amended documents submitted according to the provision of Rule 19 of the Patent Cooperation Treaty.

□ the amended documents submitted according to the provision of Rule 28 or Rule 41 of the Patent Cooperation Treaty.

□ the amended documents submitted according to the provision of Rule 51 of the Implementing Regulations of the Patent Law.

See the text portion of this Office Action for detailed reasons why the amendment cannot be accepted.

4. □ Examination is conducted on the Chinese version of the initially-submitted international application.

☒ Examination is conducted on the following document(s):

☒ page(s) Ljj of the description, based on the Chinese version of the initially-submitted international application documents;

page(s) ___ of the description, based on the Chinese version of the annex to the international preliminary examination report;

page(s) ___ of the description, based on the amended documents submitted according to the provision of Rule 28 or Rule 41 of the Patent Cooperation Treaty;

page(s) ___ of the description, based on the amended documents submitted according to the provision of Rule 51 of the Implementing Regulations of the Patent Law.

☒ claim(s) ___ based on the Chinese version of the initially-submitted international application documents;

claim(s) ___ based on the Chinese version of the amended documents submitted according to the provision of Rule 19 of the Patent Cooperation Treaty;

claim(s) ___ based on the Chinese version of the annex to the international preliminary examination report;

claim(s) 1-20 based on the amended documents submitted according to the provision of Rule 28 or Rule 41 of the Patent Cooperation Treaty;

claim(s) ___ based on the amended documents submitted according to the provision of Rule 51 of the Implementing Regulations of the Patent Law.

Fig(s) ___ based on the Chinese version of the initially-submitted international application documents;

Fig(s) ___ based on the Chinese version of the annex to the international preliminary examination report;

Fig(s) ___ based on the amended documents submitted according to the provision of Rule 28 or Rule 41 of the Patent Cooperation Treaty;

Fig(s) L:3 based on the amended documents submitted according to the provision of Rule 44 of the Implementing Regulations of the Patent Law.
5. ☒ The following reference document(s) is/are cited in this Office Action (its/their serial number(s) will continue to be used in the subsequent course of examination):




6. Concluding comments on the examination:

□ On the description:

□ What is stated in the application comes within the scope of that no patent right shall be granted as prescribed in Art. 5 of the Patent Law.

□ The description is not in conformity with the provision of Art. 26, para. 3 of the Patent Law.

☒ On the claims:

□ Claim(s) ___ come(s) within the scope of that no patent right shall be granted as prescribed in Art. 25 of the Patent Law.

☒ Claim(s) 1, 2, 5, 6, 11, 14, 19 has/have no novelty as prescribed in Art. 22, para. 2 of the Patent Law.

☒ Claim(s) 3, 4, 7, 8-10, 12, 13, 15-18, 20 has/have no inventiveness as prescribed in Art. 22, para. 3 of the Patent Law.

□ Claim(s) ___ has/have no practical applicability as prescribed in Art. 22, para. 4 of the Patent Law.

□ Claim(s) ___ is/are not in conformity with the provision of Art. 26, para. 4 of the Patent Law.

□ Claim(s) ___ is/are not in conformity with the provision of Art. 31, para. 1 of the Patent Law.

☒ Claim(s) 2-10, 12-20 is/are not in conformity with the provisions of Rules 20 to 23 of the Implementing Regulations.

□ Claim(s) ___ is/are not in conformity with the provision of Art. 9 of the Patent Law.

□ Claim(s) ___ is/are not in conformity with the provision of Rule 12, para. 1 of the Implementing Regulations.
See the text portion of this Office Action for detailed analysis of the above concluding comments.

7. Based on the above concluding comments, the examiner deems that

□ the applicant should make amendment to the application document(s) according to the requirements put forward in the text portion of this Office Action.

□ the applicant should expound in his/its observations why the captioned patent application is patentable and make amendment to what is not in conformity with the provisions pointed out in the text portion of this Office Action; otherwise, no patent right shall be granted.

☒ the patent application contains no substantive content(s) for which a patent right may be granted; if the applicant has no sufficient reason(s) to state or his/its stated reason(s) is/are not sufficient, said application will be rejected.

□ ___

8. The applicant should note the following items:

(1) Under Art. 37 of the Patent Law, the applicant should submit his/its observations within four months from the date of receipt of this Office Action; if, without any justified reason(s), the time limit for making written response is not met, said application shall be deemed to have been withdrawn.

(2) The amendment made by the applicant to said application should be in conformity with the provision of Art. 33 of the Patent Law; the amended text should be in duplicate and its form should conform with the related provisions of the Guide to Examination.

(3) If no arrangement is made in advance, the applicant and/or the agent shall not come to the Chinese Patent Office to have an interview with the examiner.

(4) The observations and/or amended text should be sent to the Receiving Section of the Chinese Patent Office by mail or by personal delivery; if not sent to the Receiving Section by mail or by personal delivery, the document(s) will have no legal effect.

9. This Office Action consists of the text portion totalling 4 page(s) and of the following attachment(s):

☒ copy(copies) of the reference document(s) totalling 29 page(s).

Examination Dept. No. 2    Examiner Xi«ingiin